Executive Summary
Cato Networks’ CTRL team published a detailed post‑incident report on the Poisson campaign, an operation that leveraged free‑tier infrastructure to compromise four French victims over 33 days. The analysis is unique because it reconstructs every command issued by Poisson from March 30 to May 1, 2026, using live telemetry and command history rather than forensic remnants alone.
Operational Overview
The attacker, codenamed Poisson, operated on a schedule that matched school hours: activity started after 15:00 CET with short periods of inactivity in the middle of the day. He used an IONOS VPS in Berlin (IP 217[.]154[.]217[.]139) as his command‑and‑control (C2) host and hosted payloads on four Backblaze B2 buckets, all free tier. The C2 infrastructure was discovered through Havoc beacon patterns and the domain wawsenti[.]duckdns[.]org.
On day one (March 30), Poisson gained an administrative foothold on a French automotive small business machine in 83 minutes, deployed a scheduled task for persistence, and installed a custom‑compiled RustDesk remote desktop tool. By day two, he was injecting shellcode into Explorer.exe on a Windows 11 host belonging to a small business owner but struggled repeatedly with User Account Control (UAC) elevation attempts that required user interaction.
The Keylogger Phase
On April 2, Poisson shifted focus from persistence to credential theft by deploying KeyL.zip, a 70‑line Python keylogger that wrote every keystroke to a local text file. The keylogger had no exfiltration code or beacon of its own; the attacker pulled the log files manually over the existing Havoc session. It captured approximately 3,000 characters across multiple sessions.
Persistence Beyond C2
On April 7, Poisson installed OpenSSH Server and Tailscale VPN on a victim machine, giving him an SSH reverse tunnel (ssh -R) over the Tailscale overlay that did not depend on the public C2 at all. When the Havoc team took down the C2 server on April 8 (IP 217[.]154[.]162[.]45), Poisson's access survived, which is the central lesson of the report: taking down a command‑and‑control host is not sufficient remediation when the attacker has planted a second, independent access path.
Return and Cleanup
The attacker restored the C2 on April 26 and ran 145 additional commands. He harvested keylogger output repeatedly, queried smart‑card certificate information with certutil -scinfo, and executed a .NET application from Thales.zip. He then cleaned up his other artifacts but left the keylogger running until his final command on May 1.
Threat‑Intelligence Indicators
- IPs: 217[.]154[.]217[.]139, 217[.]154[.]162[.]45
- Domains: wawsenti[.]duckdns[.]org, pois43[.]s3[.]eu-central-003[.]backblazeb2[.]com, w456w5[.]s3[.]eu-central-003[.]backblazeb2[.]com
- Files: SHA256 hashes (listed in the original report) for sys.vbs, senti.dll, RustCustom.zip, SSH.zip, KeyL.zip, RevS.ps1, Thal.exe
Recommendations for Defenders
- Detect and block OpenSSH Server installation on workstations. Workstations rarely need an SSH server (jump hosts and administrative servers are the exception to allowlist); a new sshd.exe process or an OpenSSH.Server capability install on an end‑user machine should raise an alert.
- Monitor Tailscale activity. Unexpected tailscale.exe or tailscaled.exe processes, or new nodes appearing in a tailnet, warrant investigation.
- Watch for scheduled tasks created to run with highest privileges (schtasks /create ... /rl highest). Poisson used a task named "TaskAdmin1" for persistence.
- Identify power‑configuration changes. Commands such as powercfg /change standby-timeout-ac 300 keep a machine awake so that implants stay reachable; flag such modifications on endpoints.
- Block DuckDNS subdomains and the known C2 IP addresses. The attacker leveraged free dynamic‑DNS services to obscure his infrastructure.
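The following is an added example, not code from the Cato CTRL report: a small Python hunt that applies the five checks above (and the OpenSSH/Tailscale indicators from the Persistence Beyond C2 section) to normalised process‑creation and DNS‑query telemetry. The Event field names, the host names, the sample command lines and the SSH_SERVER_ALLOWLIST are assumptions; only the IP addresses and the DuckDNS domain come from the report's IOC list.

```python
"""Hunt for the Poisson-style persistence indicators listed above.

Added example, not from the Cato CTRL report. Event fields mimic normalised
Sysmon/EDR process-creation and DNS-query records; field names, host names
and SSH_SERVER_ALLOWLIST are assumptions to adapt to your own telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    kind: str            # "process" or "dns"
    image: str = ""      # executable path (process events)
    cmdline: str = ""    # full command line (process events)
    query: str = ""      # queried name (dns events)
    dest_ip: str = ""    # contacted/resolved address, if the source records it


# Indicators from the report's IOC list (de-fanged there, plain here).
C2_IPS = {"217.154.217.139", "217.154.162.45"}
C2_DOMAINS = {"wawsenti.duckdns.org"}
# Hosts where an SSH server is expected (assumed jump host); everything else is a workstation.
SSH_SERVER_ALLOWLIST = {"jump01"}


def _is_openssh_server(e):
    # sshd.exe running, or the OpenSSH.Server capability being enabled from PowerShell.
    if e.kind != "process" or e.host in SSH_SERVER_ALLOWLIST:
        return False
    return (e.image.lower().endswith("\\sshd.exe")
            or re.search(r"add-windowscapability.*openssh\.server", e.cmdline, re.I) is not None)


def _is_tailscale(e):
    return e.kind == "process" and re.search(r"\\tailscaled?\.exe$", e.image, re.I) is not None


def _is_highest_priv_task(e):
    # schtasks /create ... /rl highest registers a task that runs with the highest available token.
    return e.kind == "process" and re.search(
        r"\bschtasks(\.exe)?\b.*\s/create\b.*\s/rl\s+highest\b", e.cmdline, re.I) is not None


def _is_powercfg_keepalive(e):
    # powercfg /change (alias /x) standby-timeout-ac|dc N extends or disables sleep.
    return e.kind == "process" and re.search(
        r"\bpowercfg(\.exe)?\b.*\s/(change|x)\s+standby-timeout-(ac|dc)\s+\d+", e.cmdline, re.I) is not None


def _is_c2_or_duckdns(e):
    q = e.query.lower()
    return (e.kind == "dns" and (q.endswith(".duckdns.org") or q in C2_DOMAINS)) or e.dest_ip in C2_IPS


RULES = [
    ("openssh_server_on_workstation", _is_openssh_server),
    ("tailscale_present", _is_tailscale),
    ("scheduled_task_highest_privilege", _is_highest_priv_task),
    ("powercfg_keepalive", _is_powercfg_keepalive),
    ("duckdns_or_known_c2", _is_c2_or_duckdns),
]


def hunt(events):
    """Return (host, rule, evidence) for every event that matches a rule."""
    hits = []
    for e in events:
        for name, match in RULES:
            if match(e):
                hits.append((e.host, name, e.cmdline or e.image or e.query or e.dest_ip))
    return hits


# Constructed sample telemetry (not from the report): ws01 carries one event per rule,
# jump01 is an allowlisted SSH host, ws02 is benign.
SAMPLE_EVENTS = [
    Event("fr-auto-ws01", "process", image=r"C:\Windows\System32\schtasks.exe",
          cmdline=r'schtasks /create /tn TaskAdmin1 /tr "C:\Users\Public\update.vbs" /sc onlogon /rl highest /f'),
    Event("fr-auto-ws01", "process", image=r"C:\Windows\System32\powercfg.exe",
          cmdline="powercfg /change standby-timeout-ac 300"),
    Event("fr-auto-ws01", "process", image=r"C:\Windows\System32\OpenSSH\sshd.exe", cmdline="sshd.exe"),
    Event("fr-auto-ws01", "process", image=r"C:\Program Files\Tailscale\tailscale.exe", cmdline="tailscale.exe up"),
    Event("fr-auto-ws01", "dns", query="wawsenti.duckdns.org", dest_ip="217.154.217.139"),
    Event("jump01", "process", image=r"C:\Windows\System32\OpenSSH\sshd.exe", cmdline="sshd.exe"),
    Event("fr-auto-ws02", "process", image=r"C:\Windows\explorer.exe", cmdline="explorer.exe"),
    Event("fr-auto-ws02", "process", image=r"C:\Windows\System32\powercfg.exe", cmdline="powercfg /list"),
]

if __name__ == "__main__":
    for host, rule, evidence in hunt(SAMPLE_EVENTS):
        print(f"{host:14} {rule:34} {evidence}")
```

Run as a script it prints the five ws01 hits and nothing for jump01 or ws02. The allowlist is the caveat that matters in practice: an sshd.exe alert is only useful if the hosts that legitimately run an SSH server are excluded up front, otherwise the rule is muted within a day.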
Conclusion
The Poisson campaign illustrates the evolving threat landscape: even low‑skill operators using free tools can build resilient, C2‑independent access and harvest valuable credentials. Defenders must look beyond taking down a command‑and‑control host and focus on uncovering and dismantling persistence mechanisms that survive such takedowns.

